A quick demo of Ansible Tower integration with Hashicorp Vault. Based on the tutorial on the Ansible Blog.
-
Vagrant 2.1.1
-
vagrant plugin install vagrant-hostmanager
-
Download Vault 0.10.1 from the download page to the git project directory
The Ansible Tower Vagrant Box 3.2.5 with Ansible 2.5.2 was used to create this demo.
Note
|
Follow instructions from the Vault Getting Started Guide if necessary. |
-
vagrant up
-
vagrant ssh tower
-
/vagrant/install-vault.sh
-
vault -autocomplete-install
-
vault server -dev
-
Save the Unseal Key and Root Token
-
Leave the server running and open a new terminal
-
Install pip
sudo yum install python-pip
-
Install required python libraries for Hashicorp Vault integration
sudo pip install hvac jmespath
-
Restart Tower
Note
|
Make sure the vault binary is on your PATH
|
-
Export the
VAULT_ADDR
variable that was printed when you started vault in dev mode:export VAULT_ADDR='http://127.0.0.1:8200'
-
Add data to vault, using the inventory host name as the key:
vault kv put secret/host-1 first_line=vault_sensitive_1 second_line=vault_sensitive_2 vault kv put secret/host-2 first_line=VAULT_some_sensitive_1 second_line=VAULT_some_other_sensitive_2
-
Clone the repo:
git clone https://github.com/bparry02/ansible-tower-hashicorp-vault.git
-
Run the playbook:
echo -e "host-1\nhost-2" > inventory ansible-playbook apache.yml -i inventory -b ansible-playbook debug.yml -i inventory -e vault_token=[TOKEN] ansible-playbook index_html_create.yml -i inventory -e vault_token=[TOKEN] -b
-
Verify with curl:
$ curl http://host-2 <body> <h1>Apache is running fine</h1> <h1>This is field "First Line": VAULT_some_sensitive_1</h1> <h1>This is field "Second Line": VAULT_some_other_sensitive_2</h1> </body>
-
Settings > Credential Types > Add
Input Configurationfields: - type: string id: vault_server_url label: URL to Vault Server - type: string id: vault_token label: Vault Token secret: true required: - vault_server_url - vault_token
Injector Configurationenv: VAULT_ADDR: '{{ vault_server_url }}' VAULT_TOKEN: '{{ vault_token }}'
-
Save
-
Settings > Credentials > Add
-
Name: Local Hashicorp Vault
-
Credential Type: Hashicorp Vault
-
Token: [TOKEN]
-
-
Save
-
Inventories > Add
-
Name:
vagrant
-
Hosts > Add Host
-
Host-Name: host-1
-
Save
-
-
Hosts > Add Host
-
Host-Name: host-2
-
Save
-
-
-
Save
-
Projects > Add
-
Name: tower-hashicorp-vault
-
SCM Type: Git
-
SCM URL: https://github.com/bparry02/ansible-tower-hashicorp-vault.git
-
SCM Credential: [git credential if required]
-
-
Save
-
Templates > Add > Job Template
-
Name: debug vault
-
Job Type: Run
-
Inventory: vagrant
-
Project: tower-hashicorp-vault
-
Playbook: debug-tower.yml
-
Credential: Machine, Local Hashicorp Vault
-
-
Run the Template
PLAY [Check Hashicorp Vault values] ******************************************** TASK [Gathering Facts] ********************************************************* ok: [host-1] ok: [host-2] TASK [check host values for first_line] **************************************** ok: [host-2] => { "msg": "First line is: VAULT_some_sensitive_1" } ok: [host-1] => { "msg": "First line is: vault_sensitive_1" } TASK [check host values for second_line] *************************************** ok: [host-2] => { "msg": "Second line is: VAULT_some_other_sensitive_2" } ok: [host-1] => { "msg": "Second line is: vault_sensitive_2" } PLAY RECAP ********************************************************************* host-1 : ok=3 changed=0 unreachable=0 failed=0 host-2 : ok=3 changed=0 unreachable=0 failed=0